Spring Security - Dispatch to /j_spring_security_check

I have spring security in place and login via login.jsp works perfectly fine.

Now, I have to automatically get the user logged in based on the URL (similar to Single Sign On). I basically have a path parameter in the URL which is basically an encrypted code; I process this code to do an auto login.

I am modifying my LoginController to check if I have a valid path param, from which I get my username & password. Using this username & password I am doing "forward:/j_spring_security_check?j_username="+username+"&j_password="+password

This directs me to login.jsp with the following error: "Your login attempt was not successful, try again. Caused : Authentication method not supported: GET"

I have also tried with "redirect:/j_spring_security_check?j_username="+username+"&j_password="+password but with no help.

The call to /j_spring_security_check is a POST, but forward: & redirect: are doing a GET, so how can I dispatch to /j_spring_security_check as POST from my LoginController?

Thanks

Ayaz Pasha asked Mar 21 '13 10:03


2 Answers

The /j_spring_security_check URL is mapped to UsernamePasswordAuthenticationFilter, which serves the requests.

In UsernamePasswordAuthenticationFilter, postOnly is set to true by default.

The following change in spring-security.xml, which sets postOnly to false, worked.

<!-- requires xmlns:p="http://www.springframework.org/schema/p" on the root element;
     postOnly="false" lets the filter accept GET as well as POST -->
<bean id="authenticationFilter" 
      class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter"
      p:postOnly="false" />

Also, in web.xml, the following configuration is required:

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <!-- FORWARD is needed so the forward: from LoginController passes through the security filter chain -->
    <dispatcher>FORWARD</dispatcher>
</filter-mapping>
Ayaz Pasha answered Oct 04 '22 02:10


You could bypass the check by using a request wrapper which returns "POST" instead of "GET" for getMethod.

However, the check is there for a reason. It is generally considered bad practice to send credentials as URL parameters. Even if you are using an encrypted parameter, it is still technically equivalent to sending unencrypted authentication credentials since anyone who steals it can use it to authenticate.

Shaun the Sheep answered Oct 04 '22 01:10
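As an added example (not code from either answer), here is a small Python checker that scans access-log lines for the leak Shaun the Sheep warns about: j_username/j_password arriving in a query string, which is exactly what a GET to /j_spring_security_check with postOnly="false" produces. The log lines are constructed, and the log format is assumed to be the Apache/Tomcat common format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/Tomcat "common" format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Mar/2013:10:03:11 +0000] "GET /app/j_spring_security_check?j_username=alice&j_password=s3cret HTTP/1.1" 302 -
10.0.0.5 - - [21/Mar/2013:10:03:12 +0000] "GET /app/home HTTP/1.1" 200 5120
10.0.0.9 - - [21/Mar/2013:10:04:40 +0000] "POST /app/j_spring_security_check HTTP/1.1" 302 -
10.0.0.7 - - [21/Mar/2013:10:05:02 +0000] "GET /app/login?j_username=bob&j_password=hunter2 HTTP/1.1" 200 2048
"""

# client, ident, user, [timestamp], "METHOD target protocol", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Parameter names UsernamePasswordAuthenticationFilter reads by default.
CREDENTIAL_PARAMS = {"j_username", "j_password"}

def find_credential_leaks(log_text):
    """One finding per request whose query string carries login parameters:
    the credential has been written to the access log (and likely to browser
    history, proxy logs and Referer headers), which is what happens once
    postOnly is off and j_spring_security_check is reached by GET."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m.group("target"))
        params = parse_qs(parts.query, keep_blank_values=True)
        leaked = sorted(CREDENTIAL_PARAMS & set(params))
        if not leaked:
            continue
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "path": parts.path,
            "leaked_params": leaked,
            "username": params.get("j_username", [""])[0],
        })
    return findings

def redact_line(line):
    """Mask the password value so the line can be retained or forwarded safely."""
    return re.sub(r'(j_password=)[^&\s"]*', r'\1[REDACTED]', line)
```

Running find_credential_leaks over a real access log shows every request that carried a password in the URL, and redact_line lets the matching lines be kept for investigation without keeping the password.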